CVE-2017-13695 - Information Exposure vulnerability in Linux Kernel

CVSS 2.1 - LOW
  Attack vector: LOCAL
  Attack complexity: LOW
  Privileges required: NONE
  Confidentiality impact: PARTIAL
  Integrity impact: NONE
  Availability impact: NONE

Tags: local, low complexity, linux, CWE-200, nessus

Summary

The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.

Vulnerable Configurations

Part  Description  Count
OS    Linux        2671

Common Weakness Enumeration (CWE)

  • CWE-200: Information Exposure

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, in what the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server, such that communication directly to the server is possible while the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including its version, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2018-0258.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : - nsfs: mark dentry with DCACHE_RCUACCESS (Cong Wang) [Orabug: 28576290] (CVE-2018-5873) - dm crypt: add middle-endian variant of plain64 IV (Konrad Rzeszutek Wilk) [Orabug: 28604628] - IB/ipoib: Improve filtering log message (Yuval Shaia) [Orabug: 28655409] - IB/ipoib: Fix wrong update of arp_blocked counter (Yuval Shaia) - IB/ipoib: Update RX counters after ACL filtering (Yuval Shaia) - IB/ipoib: Filter RX packets before adding pseudo header (Yuval Shaia) - cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (Scott Bauer) [Orabug: 28664501] (CVE-2018-16658) - ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c (Seunghun Han) [Orabug: 28664577] (CVE-2017-13695) - uek-rpm: Disable deprecated CONFIG_ACPI_PROCFS_POWER (Victor Erminpour) [Orabug: 28680213]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 117764
    published: 2018-09-27
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/117764
    title: OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0258)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2018-0258.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(117764);
      script_version("1.2");
      script_cvs_date("Date: 2019/09/27 13:00:35");
    
      script_cve_id("CVE-2017-13695", "CVE-2018-16658", "CVE-2018-5873");
    
      script_name(english:"OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0258)");
      script_summary(english:"Checks the RPM output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote OracleVM host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates :
    
      - nsfs: mark dentry with DCACHE_RCUACCESS (Cong Wang)
        [Orabug: 28576290] (CVE-2018-5873)
    
      - dm crypt: add middle-endian variant of plain64 IV
        (Konrad Rzeszutek Wilk) [Orabug: 28604628]
    
      - IB/ipoib: Improve filtering log message (Yuval Shaia)
        [Orabug: 28655409]
    
      - IB/ipoib: Fix wrong update of arp_blocked counter (Yuval
        Shaia) 
    
      - IB/ipoib: Update RX counters after ACL filtering (Yuval
        Shaia) 
    
      - IB/ipoib: Filter RX packets before adding pseudo header
        (Yuval Shaia) 
    
      - cdrom: Fix info leak/OOB read in
        cdrom_ioctl_drive_status (Scott Bauer) [Orabug:
        28664501] (CVE-2018-16658)
    
      - ACPICA: acpi: acpica: fix acpi operand cache leak in
        nseval.c (Seunghun Han) [Orabug: 28664577]
        (CVE-2017-13695)
    
      - uek-rpm: Disable deprecated CONFIG_ACPI_PROCFS_POWER
        (Victor Erminpour) [Orabug: 28680213]"
      );
      # https://oss.oracle.com/pipermail/oraclevm-errata/2018-September/000893.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?851cd234"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel-uek / kernel-uek-firmware packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/09/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-4.1.12-124.19.5.el6uek")) flag++;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-firmware-4.1.12-124.19.5.el6uek")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-uek / kernel-uek-firmware");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-7C2E0A998D.NASL
    description: Security fix for CVE-2017-13693, CVE-2017-13694, CVE-2017-13695. This provides fixes for the user space ACPICA tools only. Any kernel updates are handled separately. This update also includes the upgrade to the 20190209 version of the upstream source. ---------------------------------------- 09 February 2018. Summary of changes for version 20180209 : 1) ACPICA kernel-resident subsystem : Completed the final integration of the recent changes to Package Object handling and the module-level AML code support. This allows forward references from individual package elements when the package object is declared from within module-level code blocks. Provides compatibility with other ACPI implementations. The new architecture for the AML module-level code has been completed and is now the default for the ACPICA code. This new architecture executes the module-level code in-line as the ACPI table is loaded/parsed instead of the previous architecture which deferred this code until after the table was fully loaded. This solves some ASL code ordering issues and provides compatibility with other ACPI implementations. At this time, there is an option to fallback to the earlier architecture, but this support is deprecated and is planned to be completely removed later this year. Added a compile-time option to ignore AE_NOT_FOUND exceptions during resolution of named reference elements within Package objects. Although this is potentially a serious problem, it can generate a lot of noise/errors on platforms whose firmware carries around a bunch of unused Package objects. To disable these errors, define ACPI_IGNORE_PACKAGE_RESOLUTION_ERRORS in the OS-specific header. All errors are always reported for ACPICA applications such as AcpiExec. Fixed a regression related to the explicit type-conversion AML operators (ToXXXX). The regression was introduced early in 2017 but was not seen until recently because these operators are not fully supported by other ACPI implementations and are thus rarely used by firmware developers. The operators are defined by the ACPI specification to not implement the
    last seen: 2020-06-05
    modified: 2018-04-02
    plugin id: 108777
    published: 2018-04-02
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108777
    title: Fedora 27 : acpica-tools (2018-7c2e0a998d)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3696-2.NASL
    description: USN-3696-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that an integer overflow existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18255) Wei Fang discovered an integer overflow in the F2FS filesystem implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18257) It was discovered that an information leak existed in the generic SCSI driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-1000204) It was discovered that the wait4() system call in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10087) It was discovered that the kill() system call implementation in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10124) Julian Stecklina and Thomas Prescher discovered that FPU register states (such as MMX, SSE, and AVX registers) which are lazily restored are potentially vulnerable to a side channel attack. A local attacker could use this to expose sensitive information. (CVE-2018-3665) Jakub Jirasek discovered that multiple use-after-errors existed in the USB/IP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5814) It was discovered that an information leak vulnerability existed in the floppy driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-7755) Seunghun Han discovered an information leak in the ACPI handling code in the Linux kernel when handling early termination of ACPI table loading. A local attacker could use this to expose sensitive information (kernel address locations). (CVE-2017-13695) It was discovered that a memory leak existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-10021). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 110897
    published: 2018-07-03
    reporter: Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110897
    title: Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3696-2)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2018-4250.NASL
    description: Description of changes: [2.6.39-400.302.2.el6uek] - Revert
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 118107
    published: 2018-10-15
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118107
    title: Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4250)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2018-4227.NASL
    description: Description of changes: [4.1.12-124.19.5.el7uek] - nsfs: mark dentry with DCACHE_RCUACCESS (Cong Wang) [Orabug: 28576290] {CVE-2018-5873} - dm crypt: add middle-endian variant of plain64 IV (Konrad Rzeszutek Wilk) [Orabug: 28604628] - IB/ipoib: Improve filtering log message (Yuval Shaia) [Orabug: 28655409] - IB/ipoib: Fix wrong update of arp_blocked counter (Yuval Shaia) [Orabug: 28655409] - IB/ipoib: Update RX counters after ACL filtering (Yuval Shaia) [Orabug: 28655409] - IB/ipoib: Filter RX packets before adding pseudo header (Yuval Shaia) [Orabug: 28655409] - cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (Scott Bauer) [Orabug: 28664501] {CVE-2018-16658} - ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c (Seunghun Han) [Orabug: 28664577] {CVE-2017-13695} - uek-rpm: Disable deprecated CONFIG_ACPI_PROCFS_POWER (Victor Erminpour) [Orabug: 28680213]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 117769
    published: 2018-09-27
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/117769
    title: Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4227)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2018-4242.NASL
    description: Description of changes: [4.14.35-1818.3.3.el7uek] - net: net_failover: fix typo in net_failover_slave_register() (Liran Alon) [Orabug: 28122110] - virtio_net: Extend virtio to use VF datapath when available (Sridhar Samudrala) [Orabug: 28122110] - virtio_net: Introduce VIRTIO_NET_F_STANDBY feature bit (Sridhar Samudrala) [Orabug: 28122110] - net: Introduce net_failover driver (Sridhar Samudrala) [Orabug: 28122110] - net: Introduce generic failover module (Sridhar Samudrala) [Orabug: 28122110] - IB/ipoib: Improve filtering log message (Yuval Shaia) [Orabug: 28655435] - IB/ipoib: Fix wrong update of arp_blocked counter (Yuval Shaia) [Orabug: 28655435] - IB/ipoib: Update RX counters after ACL filtering (Yuval Shaia) [Orabug: 28655435] - IB/ipoib: Filter RX packets before adding pseudo header (Yuval Shaia) [Orabug: 28655435] - dm crypt: add middle-endian variant of plain64 IV (Konrad Rzeszutek Wilk) [Orabug: 28604629] - uek-rpm: Disable deprecated CONFIG_ACPI_PROCFS_POWER (Victor Erminpour) [Orabug: 28644322] - net/rds: Fix call to sleeping function in a non-sleeping context (Håkon Bugge) [Orabug: 28657397] - cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (Scott Bauer) [Orabug: 28664499] {CVE-2018-16658} - ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c (Seunghun Han) [Orabug: 28664576] {CVE-2017-13695} - usb: xhci: do not create and register shared_hcd when USB3.0 is disabled (Tung Nguyen) [Orabug: 28677854] [4.14.35-1818.3.2.el7uek] - hwmon: (k10temp) Display both Tctl and Tdie (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Use API function to access System Management Network (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Fix reading critical temperature register (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Add temperature offset for Ryzen 2700X (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Add support for temperature offsets (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Add support for family 17h (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Move chip specific code into probe function (Guenter Roeck) [Orabug: 28143470] - net/rds: make the source code clean (Zhu Yanjun) [Orabug: 28607913] - net/rds: Use rdma_read_gids to get connection SGID/DGID in IPv6 (Zhu Yanjun) [Orabug: 28607913] - net/rds: Use rdma_read_gids to read connection GIDs (Parav Pandit) [Orabug: 28607913] - posix-timers: Sanitize overrun handling (Thomas Gleixner) [Orabug: 28642970] {CVE-2018-12896} - crypto: ccp - Add support for new CCP/PSP device ID (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Support register differences between PSP devices (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Remove unused #defines (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Add psp enabled message when initialization succeeds (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Fix command completion detection race (Tom Lendacky) [Orabug: 28584386] - iommu/amd: Add support for IOMMU XT mode (Suravee Suthikulpanit) [Orabug: 28584386] - iommu/amd: Add support for higher 64-bit IOMMU Control Register (Suravee Suthikulpanit) [Orabug: 28584386] - x86: irq_remapping: Move irq remapping mode enum (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Fix LLC ID bit-shift calculation (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Derive CPU topology from CPUID function 0xB when available (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Calculate last level cache ID from number of sharing threads (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU: Rename intel_cacheinfo.c to cacheinfo.c (Borislav Petkov) [Orabug: 28584386] - perf/events/amd/uncore: Fix amd_uncore_llc ID to use pre-defined cpu_llc_id (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Have smp_num_siblings and cpu_llc_id always be present (Borislav Petkov) [Orabug: 28584386] [4.14.35-1818.3.1.el7uek] - arm64: vdso: fix clock_getres for 4GiB-aligned res (Mark Rutland) [Orabug: 28603375] - locking/qrwlock: Prevent slowpath writers getting held up by fastpath (Will Deacon) [Orabug: 28605196] - locking/qrwlock, arm64: Move rwlock implementation over to qrwlocks (Will Deacon) [Orabug: 28605196] - locking/qrwlock: Use atomic_cond_read_acquire() when spinning in qrwlock (Will Deacon) [Orabug: 28605196] - locking/atomic: Add atomic_cond_read_acquire() (Will Deacon) [Orabug: 28605196] - rds: CVE-2018-7492: Fix NULL pointer dereference in __rds_rdma_map (Håkon Bugge) [Orabug: 28565429] {CVE-2018-7492} - irqchip/irq-bcm2836: Add support for DT interrupt polarity (Stefan Wahren) [Orabug: 28596168] - dt-bindings/bcm2836-l1-intc: Add interrupt polarity support (Stefan Wahren) [Orabug: 28596168] - dt-bindings/bcm283x: Define polarity of per-cpu interrupts (Stefan Wahren) [Orabug: 28596168] - x86/spec_ctrl: Only set SPEC_CTRL_IBRS_FIRMWARE if IBRS is actually in use (Patrick Colp) [Orabug: 28610695] [4.14.35-1818.2.2.el7uek] - x86/xen: Calculate __max_logical_packages on PV domains (Prarit Bhargava) [Orabug: 28476586] - x86/entry/64: Remove %ebx handling from error_entry/exit (Andy Lutomirski) [Orabug: 28402921] {CVE-2018-14678} - x86/pti: Don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 118053
    published: 2018-10-11
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118053
    title: Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4242) (Foreshadow)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3696-1.NASL
    description: It was discovered that an integer overflow existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18255) Wei Fang discovered an integer overflow in the F2FS filesystem implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18257) It was discovered that an information leak existed in the generic SCSI driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-1000204) It was discovered that the wait4() system call in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10087) It was discovered that the kill() system call implementation in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10124) Julian Stecklina and Thomas Prescher discovered that FPU register states (such as MMX, SSE, and AVX registers) which are lazily restored are potentially vulnerable to a side channel attack. A local attacker could use this to expose sensitive information. (CVE-2018-3665) Jakub Jirasek discovered that multiple use-after-errors existed in the USB/IP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5814) It was discovered that an information leak vulnerability existed in the floppy driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-7755) Seunghun Han discovered an information leak in the ACPI handling code in the Linux kernel when handling early termination of ACPI table loading. A local attacker could use this to expose sensitive information (kernel address locations). (CVE-2017-13695) It was discovered that a memory leak existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-10021). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 110896
    published: 2018-07-03
    reporter: Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110896
    title: Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3696-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-A3A8638A60.NASL
    description: The 4.12.11 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-09-13
    plugin id: 103151
    published: 2017-09-13
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103151
    title: Fedora 25 : kernel (2017-a3a8638a60)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2018-4245.NASL
    description: Description of changes: kernel-uek [3.8.13-118.25.1.el7uek] - x86/spectre_v2: Don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 118055
    published: 2018-10-11
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118055
    title: Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4245) (Foreshadow)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1521.NASL
    description: According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lacked certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly cause other unspecified impacts using crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.(CVE-2017-7895) - A flaw was found in the Linux kernel
    last seen: 2020-03-19
    modified: 2019-05-14
    plugin id: 124974
    published: 2019-05-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/124974
    title: EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1521)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-6764D16965.NASL
    description: The 4.12.11 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-09-12
    plugin id: 103117
    published: 2017-09-12
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103117
    title: Fedora 26 : kernel (2017-6764d16965)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2017-1245.NASL
    description: According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation.(CVE-2017-14489) - The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn
    last seen: 2020-06-10
    modified: 2017-11-16
    plugin id: 104578
    published: 2017-11-16
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104578
    title: EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1245)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3762-1.NASL
    description: It was discovered that the VirtIO subsystem in the Linux kernel did not properly initialize memory in some situations. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2018-1118) Seunghun Han discovered an information leak in the ACPI handling code in the Linux kernel when handling early termination of ACPI table loading. A local attacker could use this to expose sensitive information (kernel address locations). (CVE-2017-13695). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 117454
    published: 2018-09-12
    reporter: Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/117454
    title: Ubuntu 18.04 LTS : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2 (USN-3762-1)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1972.NASL
    description: According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver.(CVE-2019-15212) - An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.(CVE-2019-15213) - An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver.(CVE-2019-15215) - An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.(CVE-2019-15216) - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver.(CVE-2019-15217) - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the qedi_dbg_* family of functions, there is an out-of-bounds read.(CVE-2019-15090) - An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.(CVE-2017-18595) - The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.(CVE-2017-13695) - The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.(CVE-2017-13694) - The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.(CVE-2017-13693) - Heap-based buffer overflow in the logi_dj_ll_raw_request function in drivers/hid/hid-logitech-dj.c in the Linux kernel before 3.16.2 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that specifies a large report size for an LED report.(CVE-2014-3183) - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c.(CVE-2019-15917) - An issue was discovered in the Linux kernel before 5.0.10. There is a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c.(CVE-2019-15214) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2019-09-23
    plugin id: 129129
    published: 2019-09-23
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129129
    title: EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1972)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3762-2.NASL
    description: USN-3762-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that the VirtIO subsystem in the Linux kernel did not properly initialize memory in some situations. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2018-1118) Seunghun Han discovered an information leak in the ACPI handling code in the Linux kernel when handling early termination of ACPI table loading. A local attacker could use this to expose sensitive information (kernel address locations). (CVE-2017-13695). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 117455
    published: 2018-09-12
    reporter: Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/117455
    title: Ubuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp vulnerabilities (USN-3762-2)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-8D90571CDF.NASL
    description: Security fix for CVE-2017-13693, CVE-2017-13694, CVE-2017-13695. This provides fixes for the user space ACPICA tools only. Any kernel updates are handled separately. This update also includes the upgrade to the 20190209 version of the upstream source. ---------------------------------------- 09 February 2018. Summary of changes for version 20180209 : 1) ACPICA kernel-resident subsystem : Completed the final integration of the recent changes to Package Object handling and the module-level AML code support. This allows forward references from individual package elements when the package object is declared from within module-level code blocks. Provides compatibility with other ACPI implementations. The new architecture for the AML module-level code has been completed and is now the default for the ACPICA code. This new architecture executes the module-level code in-line as the ACPI table is loaded/parsed instead of the previous architecture which deferred this code until after the table was fully loaded. This solves some ASL code ordering issues and provides compatibility with other ACPI implementations. At this time, there is an option to fallback to the earlier architecture, but this support is deprecated and is planned to be completely removed later this year. Added a compile-time option to ignore AE_NOT_FOUND exceptions during resolution of named reference elements within Package objects. Although this is potentially a serious problem, it can generate a lot of noise/errors on platforms whose firmware carries around a bunch of unused Package objects. To disable these errors, define ACPI_IGNORE_PACKAGE_RESOLUTION_ERRORS in the OS-specific header. All errors are always reported for ACPICA applications such as AcpiExec. Fixed a regression related to the explicit type-conversion AML operators (ToXXXX). The regression was introduced early in 2017 but was not seen until recently because these operators are not fully supported by other ACPI implementations and are thus rarely used by firmware developers. The operators are defined by the ACPI specification to not implement the
    last seen: 2020-06-05
    modified: 2019-01-03
    plugin id: 120603
    published: 2019-01-03
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/120603
    title: Fedora 28 : acpica-tools (2018-8d90571cdf)